Phase 2 · T1059.001 · Moderate

Office → Script Interpreter Execution Chains

Office → wscript/cscript/mshta → powershell is a textbook delivery chain.

#Sysmon #Behavioral

Detection Objective

Detect 3+ depth chains starting at an Office app and ending in PowerShell.

Real-World Attack Scenario

Word → mshta → powershell -enc → next-stage download.

Why This Detection Matters

Higher-confidence than any single edge in the chain.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • Sysmon EID 1 process tree
Windows Event IDs: (none listed)
Sysmon Event IDs: 1
Wazuh Log Source: Sysmon/Operational

Setup Steps

  1. Sysmon with ProcessGuid + ParentProcessGuid.

Safe Validation Command

Simulate a multi-hop chain in a VM lab only.
VBA: Shell "mshta.exe vbscript:CreateObject(""WScript.Shell"").Run(""powershell.exe Write-Host detection-test"")"
⚠ lab use only · this project does not execute real malware

Expected Log Output

Three Sysmon EID 1 events linked by ProcessGuid lineage

Detection Logic (Wazuh rule concept)

Build a process tree by linking each event's ParentProcessGuid to its parent's ProcessGuid. Alert when root.Image ~ Office AND any descendant.Image ~ powershell|pwsh.
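The rule concept above worked through in Python, as an added example rather than the project's own Wazuh rule: it links constructed Sysmon EID 1 events by ProcessGuid/ParentProcessGuid and reports every Office-rooted chain of three or more processes that ends in PowerShell. The GUIDs, image paths and the benign Word → splwow64 sibling are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample Sysmon EID 1 events (not real telemetry): the
# Word -> mshta -> powershell chain from the validation step, plus a
# benign Word -> splwow64 print helper that must not alert.
EVENTS = [
    {"ProcessGuid": "{G1}", "ParentProcessGuid": "{G0}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}",
     "Image": r"C:\Windows\System32\mshta.exe"},
    {"ProcessGuid": "{G3}", "ParentProcessGuid": "{G2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ProcessGuid": "{G4}", "ParentProcessGuid": "{G1}",
     "Image": r"C:\Windows\splwow64.exe"},
]

OFFICE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)

def build_tree(events):
    """Index events by ProcessGuid; map each ParentProcessGuid to its children."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessGuid"]].append(e["ProcessGuid"])
    return by_guid, children

def office_to_powershell_chains(events, min_depth=3):
    """Image chains Office -> ... -> PowerShell spanning >= min_depth processes."""
    by_guid, children = build_tree(events)
    hits = []

    def walk(guid, path):
        path = path + [by_guid[guid]["Image"]]
        if POWERSHELL.search(path[-1]) and len(path) >= min_depth:
            hits.append(path)
        for child in children.get(guid, []):
            walk(child, path)

    # Every Office process is a candidate root; walk all of its descendants.
    for guid, e in by_guid.items():
        if OFFICE.search(e["Image"]):
            walk(guid, [])
    return hits

if __name__ == "__main__":
    for chain in office_to_powershell_chains(EVENTS):
        print("ALERT:", " -> ".join(chain))
```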

False Positives

  • Office macros legitimately used by finance teams (rare)

Tuning Recommendations

  • Per-OU allowlist for known macro authors.

Analyst Triage Notes

  • Acquire the originating document.

Detection Improvement Ideas

  • Visualize tree in the analyst UI.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100186 · Office → Script Interpreter Execution Chains · Sysmon/Operational
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
CommandLine: VBA: Shell "mshta.exe vbscript:CreateObject(""WScript.Shell"").Run(""powershell.exe Write-Host detection-test"")"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note: Acquire the originating document.

Parent → Child Analysis

WINWORD.EXE → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • (no high-risk flags in this test)
    Signal value comes from context (parent, network, persistence) rather than flags.

Parsed Fields the Analyst Reads

  • Image: process binary that executed; confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it; context for legitimacy.
    C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  • CommandLine: arguments; where attacker intent shows up.
    VBA: Shell "mshta.exe vbscript:CreateObject(""WScript.Shell"").Run(""powershell.exe Write-Host detection-test"")"
  • User: account context (service vs interactive vs SYSTEM).
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: rule that matched and produced this alert.
    100186
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened; anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern
Office → Script Interpreter Execution Chains
description
Word → mshta → powershell -enc → next-stage download.
analyst takeaway
Higher-confidence than any single edge in the chain. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command
VBA: Shell "mshta.exe vbscript:CreateObject(""WScript.Shell"").Run(""powershell.exe Write-Host detection-test"")"
expected event
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100186 — "Office → Script Interpreter Execution Chains" fires at a level matching severity=high.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.